A network address translation (NAT) device, or gateway device, multiplexes network client traffic between network spaces. Typically, the gateway device translates multiple source Internet protocol (IP) addresses from a private network namespace into a single IP address in the Internet (or other external) namespace, so that all outbound connections appear to originate from that one address. Similarly, the gateway device translates multiple source IP addresses from the Internet into a single IP address in the private network namespace, such that connections from multiple external sources appear on the internal network as being associated with the same source IP address, i.e., that of the gateway device.
FIG. 1 illustrates a gateway device multiplexing network client traffic between two network spaces. Network space 100, labeled Internet, contains a plurality of network-connected hosts (e.g., host 102). Network space 110, labeled subnet, contains network hosts. The network hosts in the example shown include web server 112, mail server 114, and application server 116, but more or fewer hosts may exist in the network space. Network traffic between network space 100 and network space 110 passes through gateway 106. Gateway 106 presents a single IP address 104 to network space 100 and similarly a single IP address 108 to network space 110.
Having separate Internet and private network namespaces improves security, because traffic must pass through the gateway device in order to reach one network from the other, and saves resources by conserving the number of IP addresses consumed in both the private network and the Internet.
A problem arises when there is a service that limits access by source IP address. For example, a service may limit the number of connections that can be made from a single IP address. The term “source restricting service” is used herein to refer to a service or other network-based resource that limits the number of connections that can be made or maintained at a time by a single source. In a typical configuration, clients on one side of a gateway device that wish to simultaneously connect to a service on the other side of the gateway device (e.g., application server 116 in the example shown in FIG. 1) appear to the service as multiple requests from a single client. The service then either accepts the first requestors and denies subsequent requestors once its limit has been reached, or accepts subsequent requestors and disconnects earlier requestors in order to stay within the limit. In either case, the gateway device results in denial of service to some requestors, and the arrangement scales poorly: the larger the networks on either side of the gateway device, the more clients will appear to come from the same entity and be subject to the source-based restriction.
One possible solution would be to have the gateway device either not be present or not use NAT, such that each host on the external network would appear to a host on the internal network to have a different source IP address, i.e., its globally unique IP address on the external network. FIG. 2 illustrates an approach in which NAT is not used, such that each host on the external network appears to hosts on the internal network to have a different (i.e., unique) IP address. Network space 200, labeled Internet, has network hosts 208, 210, 212, and 214, each of which has a globally unique IP address in the external network (i.e., Internet) namespace. External hosts 208-214 connect to application server 230, mail server 232, and web server 234 on internal network 240, either directly or via a gateway or other intermediary device not using NAT, such that each connection is associated with a unique source IP address. In the example shown in FIG. 2, external hosts 208 and 210 have connected to application server 230, each using its own source IP address, such that no problem would arise if application server 230 limited connections to one per source IP address. The problem with the solution illustrated in FIG. 2 is that it consumes resources in the external network namespace, because it requires that each host on internal network 240 be assigned an IP address that is unique in the external network namespace. In addition, it discards the security benefits gained from having disjoint namespaces, as outlined above. Furthermore, it could be entirely unnecessary if there is never an attempt by multiple clients on the external network to access a service on the internal network that has a source-based limitation associated with it.
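The following model, added here as an illustration and not part of the original description, reproduces the two failure modes of a source restricting service behind a NAT gateway described above (deny subsequent requestors, or evict earlier ones) and the non-NAT alternative of FIG. 2 in which every external host keeps its own source address. The client addresses, the gateway's subnet-side address (standing in for address 108 in FIG. 1), and the per-source limit of one connection are all constructed assumptions chosen to make the effect visible.

```python
"""Model of a source restricting service reached through a NAT gateway (constructed example)."""
from collections import OrderedDict, defaultdict


class SourceRestrictingService:
    """Accepts at most `limit` concurrent connections per source IP address.

    policy="deny":  requests beyond the limit are refused.
    policy="evict": the oldest connection from that source is dropped so the
                    new request can be accepted within the limit.
    """

    def __init__(self, limit, policy="deny"):
        if policy not in ("deny", "evict"):
            raise ValueError("policy must be 'deny' or 'evict'")
        self.limit = limit
        self.policy = policy
        # source IP -> ordered set of client ids currently connected (oldest first)
        self.active = defaultdict(OrderedDict)
        self.denied = []    # client ids refused under the "deny" policy
        self.evicted = []   # client ids disconnected under the "evict" policy

    def connect(self, source_ip, client_id):
        conns = self.active[source_ip]
        if len(conns) < self.limit:
            conns[client_id] = True
            return "accepted"
        if self.policy == "deny":
            self.denied.append(client_id)
            return "denied"
        # Evict the oldest connection from this source to stay within the limit.
        oldest, _ = conns.popitem(last=False)
        self.evicted.append(oldest)
        conns[client_id] = True
        return "accepted"

    def connected(self):
        """Client ids that still hold a connection, in acceptance order."""
        return [cid for conns in self.active.values() for cid in conns]


def nat_source(client_ip, gateway_ip):
    """Source NAT as in FIG. 1: every external client presents the gateway's address."""
    return gateway_ip


def identity_source(client_ip, gateway_ip):
    """No NAT as in FIG. 2: each client keeps its globally unique address."""
    return client_ip


# Constructed sample: four Internet hosts (RFC 5737 documentation addresses)
# all trying to reach the same application server at the same time.
CLIENTS = [
    ("host-208", "198.51.100.8"),
    ("host-210", "198.51.100.10"),
    ("host-212", "198.51.100.12"),
    ("host-214", "198.51.100.14"),
]
GATEWAY_SUBNET_IP = "10.0.0.1"  # assumed value for the gateway's subnet-side address


def scenario(with_nat, policy, limit=1):
    """Run all CLIENTS against a fresh service; return (outcomes, denied, evicted, connected)."""
    svc = SourceRestrictingService(limit, policy)
    translate = nat_source if with_nat else identity_source
    outcomes = {}
    for client_id, client_ip in CLIENTS:
        src = translate(client_ip, GATEWAY_SUBNET_IP)
        outcomes[client_id] = svc.connect(src, client_id)
    return outcomes, svc.denied, svc.evicted, svc.connected()


if __name__ == "__main__":
    for with_nat in (True, False):
        for policy in ("deny", "evict"):
            outcomes, denied, evicted, connected = scenario(with_nat, policy)
            print(f"NAT={with_nat} policy={policy}: outcomes={outcomes} "
                  f"denied={denied} evicted={evicted} still connected={connected}")
```

With NAT in place, all four hosts collapse into the single source 10.0.0.1, so the "deny" policy refuses everyone after the first host and the "evict" policy accepts each newcomer only by disconnecting the previous one, leaving a single host connected at the end. Without NAT, each host is counted separately and all four stay connected, at the cost of a unique external address per host.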
Therefore, there is a need for a solution that allows a gateway to serve multiple clients from one network space simultaneously accessing a source restricting service, without unnecessarily consuming network address space.